(57) Abstract: A security system (100) assesses the response time to requests for information to determine whether the responding
system (132, 142) is in physical proximity to the requesting system. Generally, physical proximity corresponds to temporal
proximity. If the response time indicates a substantial or abnormal lag between request and response, the system assumes that the lag
is caused by the request and response having to travel a substantial or abnormal physical distance, or caused by the request being
processed to generate a response, rather than being answered by an existing response in the physical possession of a user. If a
substantial or abnormal lag is detected, for example due to the fact that the information was downloaded from the Internet (140, 144),
the system (100) is configured to limit subsequent access to protected material by the current user, and/or to notify security personnel
of the abnormal response lag.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to the field of data protection, and in particular to 
protecting data from illicit copying from a remote location. 

2. Description of Related Art 

The protection of data is becoming an increasingly important area of security.
In many situations, the authority to copy or otherwise process information is correlated to the
physical proximity of the information to the device that is effecting the copying or other
processing. For example, audio and video performances are recorded on CDs, DVDs, and the
like. If a person purchases a CD or DVD, the person traditionally has a right to copy or
otherwise process the material, for backup purposes, to facilitate use, and so on. When the
person who purchased the material desires to use the material, it is not unreasonable to
assume that the person will have the CD or DVD within physical proximity of the device that
will use the material. If, on the other hand, the person does not have proper ownership of the
material, it is likely that the person will not have physical possession of the material, and
hence, the material will be physically remote from the device that is intended to use the
material. For example, the illicit copying or rendering of material from an Internet site or
other remote location corresponds to material being physically remote from the device that is
used to copy the material.

In like manner, security systems are often configured to verify information
associated with a user, such as verifying biometric parameters, such as fingerprints, pupil
scans, and the like. In a simpler example, security systems are often configured to process
information provided by a user, such as information contained on an identification tag,
smartcard, etc. Generally, the information or parameters can be provided easily by an
authorized user, because the authorized user is in possession of the media that contains the
information. An unauthorized user, on the other hand, will often not have the original media
that contains the verification information, but may have a system that can generate/regenerate
the security information or parameters from a remote location.

Similarly, some systems, such as an office LAN, or computers in a laboratory,
are configured to be secured by controlling physical access to terminals that are used to
access the system. If the user has access to the system, the assumption is that the user is
authorized to access the system. Some security measures, such as identification verification,
are sometimes employed, but typically not as extensively as the security measures for
systems that lack physical isolation.

BRIEF SUMMARY OF THE INVENTION 

It is an object of this invention to provide a system or method of preventing
the use of material in the absence of evidence that the material is in the physical possession
of the user. It is a further object of this invention to prevent the use of material in the
presence of evidence that the material is remote from the device that is intended to use the
material. It is a further object of this invention to prevent access to systems in the presence of
evidence that the user is remote from the system.

These objects and others are achieved by providing a security system that
assesses the response time to requests for information. Generally, physical proximity
corresponds to temporal proximity. If the response time indicates a substantial or abnormal
lag between request and response, the system assumes that the lag is caused by the request
and response having to travel a substantial or abnormal physical distance, or caused by the
request being processed to generate a response, rather than being answered by an existing
response in the physical possession of a user. If a substantial or abnormal lag is detected, the
system is configured to limit subsequent access to protected material by the current user,
and/or to notify security personnel of the abnormal response lag.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention is explained in further detail, and by way of example, with 
reference to the accompanying drawing wherein: 

FIG. 1 illustrates an example control access system in accordance with this
invention.

Throughout the drawing, the same reference numerals indicate similar or
corresponding features or functions.



WO 03/003687 PCT/IB02/02589 

DETAILED DESCRIPTION OF THE INVENTION 

For ease of reference and understanding, the invention is presented herein in
the context of a copy-protection scheme, wherein the processing of copy-protected material is
controlled via a verification that the user of the material is in physical possession of the
copy-protected material.

FIG. 1 illustrates an example control access system 100 in accordance with
this invention. The control access system 100 includes a processor 120 that is configured to
process material from a physical media, such as a CD 130, via an access device 132, such as
a reader. The processor 120 may be a recording device that records one or more songs from
the CD 130 onto a storage medium 125, such as a memory stick, a compilation CD,
and so on. The processor 120 may also be a playback device that is configured to provide an
output suitable for human perception, such as images on a screen, sounds from a speaker 127,
and so on. The term "rendering" is used herein to include a processing, transformation,
storage, and so on, of material received by the processor 120. Using this context and
terminology, the example processor 120 includes a renderer 122 that provides the interface
with the access device 132, and a verifier 126 that is configured to verify the presence of
authorized material 130.

When a user commences the rendering of material from the media 130, the
processor 120 is configured to verify the presence of the media 130. One method of effecting
this verification is to request the access device 132 to provide evidence that the media 130 is
available to provide material or information that differs from the material that the user is
attempting to render. For example, if the user commences the rendering of a song, the verifier
126 may direct the renderer 122 to request a portion of a different song from the access
device 132. If the access device is unable to provide the requested portion of a different song,
the verifier 126 can conclude that the media 130 is not actually present for rendering, and
will terminate subsequent rendering of the material that the user intended to render, via the
gate 124.

For example, a user may illicitly download a selection of different
copy-protected songs from a remote site 140 on the Internet 144, and then attempt to create a
compilation CD containing these user-selected songs. Typically, the size of an entire album
of material discourages the downloading of each album that contains the user-selected songs.
When the verifier 126 requests a portion of a different song from the album corresponding to
an actual CD 130, the user who downloaded only the user-selected song from the album will
be prevented from further rendering of the downloaded material.

A variety of techniques may be employed to assure that the material provided
in response to the request corresponds to the material that is contained on the actual CD 130.
For example, international patent application WO 01/59705 (Attorney Docket US000040)
teaches a self-referential data set wherein each section of a data set, such as a copy-protected
album, is uniquely identified by a section identifier that is securely associated with each
section. To assure that a collection of sections are all from the same data set, an identifier of
the data set is also securely encoded with each section. Using exhaustive or random
sampling, the presence of the entirety of the data set is determined, either absolutely or with
statistical certainty, by checking the section and data-set identifiers of selected sections.

The verification provided by the verifier 126 as described above can be
defeated, however, by responding to the requests from the renderer 122 from the remote site
140 that contains the entirety of the album. That is, rather than downloading the entire album
from the remote site 140, the illicit user need only download the desired song, and imitate the
presence of the actual CD 130 by providing a CD imitator 142 that provides access to
requested material or portions of material via the Internet 144. When the verifier 126 requests
a portion of a song, or section of a data set, the CD imitator 142 transforms the request into a
download request from the remote site 140, and the requested section is provided to the
renderer 122, as if it was provided from the CD 130. Assuming that, for practical purposes,
the verifier 126 will be configured to only check for a few sections in an album, the use of the
CD imitator 142 will result in a substantially reduced amount of data transfer, compared to
the downloading of the entire album, and thus preferable for the illicit download of select
songs.

In accordance with this invention, the processor 120 includes a timer 128 that
is configured to measure the time between a request from the verifier 126 and a response
from an external source, either the actual CD 130, or the remote source 140, to facilitate an
assessment by the verifier 126 of the physical proximity of the source of the response. In a
preferred embodiment, the verifier 126 is configured to filter or average the response times,
so as to allow for minor perturbations in the response time from an authorized source 130,
while still being able to distinguish a response from a physically remote source 140. For
example, using conventional statistical techniques, the verifier 126 may continue to request
sections from the unknown source until a statistically significant difference from the expected
response time of a local source 130 is detected. In a simpler embodiment, if the response time
is below a delay threshold N out of M times, the verifier 126 is configured to conclude that
the source must be local. These and other techniques for assessing physical proximity based
on temporal proximity will be evident to one of ordinary skill in the art in view of this
disclosure.
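
An added illustration in Python, not part of the patent text: the two assessments described above, the N-out-of-M threshold count and a sequential test that keeps requesting randomly chosen sections until the mean response time differs significantly from the expected local time. The one-sided z-test, the simulated clock and sources, and every latency value are assumptions constructed for this example.

```python
import random
from statistics import mean

def n_of_m_local(times, threshold, n):
    """Simpler embodiment: local if at least n of the measured times beat the threshold."""
    return sum(t < threshold for t in times) >= n

def sequential_assess(probe, local_mean, local_sd, z_crit=4.0,
                      min_samples=5, max_samples=30):
    """Keep probing until the mean response time is significantly above the
    expected local time (one-sided z-test) or the sample budget is spent."""
    times = []
    while len(times) < max_samples:
        times.append(probe())
        k = len(times)
        if k >= min_samples:
            z = (mean(times) - local_mean) / (local_sd / k ** 0.5)
            if z > z_crit:
                return "remote", k
    return "local", len(times)

class SimClock:
    """Constructed stand-in for the timer 128: simulated sources advance it."""
    def __init__(self):
        self.now = 0.0

def make_probe(clock, rng, base, jitter, sections=range(1000)):
    """Return probe(): request a randomly chosen section, return elapsed seconds.
    base and jitter are constructed latencies, not measured values."""
    sections = list(sections)

    def fetch(section):  # simulated access device or imitator
        clock.now += max(0.0, rng.gauss(base, jitter))
        return b"section %d" % section

    def probe():
        section = rng.choice(sections)
        start = clock.now
        fetch(section)
        return clock.now - start

    return probe

if __name__ == "__main__":
    rng, clock = random.Random(1), SimClock()
    sources = {
        "local": make_probe(clock, rng, base=0.012, jitter=0.003),
        "remote": make_probe(clock, rng, base=0.080, jitter=0.030),
    }
    for name, probe in sources.items():
        times = [probe() for _ in range(10)]
        print(name,
              "N-of-M says local:", n_of_m_local(times, threshold=0.030, n=8),
              "| sequential:", sequential_assess(probe, 0.012, 0.003))
```

The expected local mean and deviation would come from calibrating the real access device; the sequential test is only as good as that baseline.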

The principles of this invention are applicable to other applications as well. In
an analogous application, for example, the renderer 122 and access device 132 may be
challenge-response devices that are configured to exchange security keys, using for example,
a smart card as the media 130. If an unauthorized user attempts to exchange keys by
processing the challenge-responses via access to a system that is potentially able to overcome
the security of the exchange, the timer 128 will be able to detect the abnormal lag between
the challenge and response, and terminate the key-exchange. In like manner, if a system
expects all accesses to be from terminals that are in a common physically secured area, the
timer 128 will be able to detect abnormal lags if the system becomes a target of a remote
access 'hacker' or other attempted accesses from outside the physically secured area.

Preferably, the verifier 126 is configured to request random source
information. In the example of a CD media 130, the verifier 126 is configured to request
access to randomly selected sections on the media 130 until sufficient confidence is gained
whether the source is local or remote. In other applications, the verifier 126 is configured to
merely monitor, and time, transactions that routinely occur between a requesting device 122
and an access device 132, to detect abnormally long response times. In other applications, the
verifier 126 may merely control the order of occurrence of routine data access requests. For
example, when reading information from a user's identification device, the verifier 126 may
be configured to sometimes ask for the user's name first, identification number next,
fingerprint next, and so on; at a next session, the verifier 126 may ask for the identification
number first, a voiceprint next, and so on, thereby preventing a pre-recorded sequence of
responses.

Similarly, in an application intended to prevent the downloading of data from
a remote site, the verifier 126 in the example of FIG. 1 may merely request portions of the
requested data in a different order sequence, to determine whether the requested data is local
or remote. In like manner, to prevent the unauthorized download of information from a
network, the verifier and timer may be placed at the remote site, and configured to measure
the transport time of the data. For example, in a conventional network having error-detection
capabilities, the verifier may be configured to purposely transmit erroneous data, or an
erroneous sequence of data, and measure the time duration until a request-for-retransmission
occurs. If the receiving site is local, the request-for-retransmission should occur substantially
quicker than if the receiving site is remote. In this example, the erroneous transmission
constitutes a "request" for a "response" from the receiving system. These and other timing
schemes will be evident to one of ordinary skill in the art.

The foregoing merely illustrates the principles of the invention. It will thus be 
appreciated that those skilled in the art will be able to devise various arrangements which, 
although not explicitly described or shown herein, embody the principles of the invention and 
are thus within its scope. For example, although the invention is presented in the context of 
detecting responses that are abnormally slow, the principles of the invention can also be 
applied for detecting responses that are abnormally fast. For example, if a system is 
configured to read information from a magnetic strip on a card, there is an expected lag 
associated with the swiping of the card. If the information is provided without this lag, for 
example, from a computer that is configured to bypass the magnetic strip reader, a security 
alert may be warranted. These and other system configuration and optimization features will 
be evident to one of ordinary skill in the art in view of this disclosure, and are included 
within the scope of the following claims. 

The invention can be implemented by means of hardware comprising several
distinct elements, and by means of a suitably programmed computer

1. A security system comprising:

a verifier that is configured to determine an authorization to process protected 
material, based on one or more responses to one or more requests, and 

a timer that is configured to measure response times associated with the one 
or more responses to the one or more requests; 

wherein 

the verifier is configured to determine the authorization based at least in part 
on an assessment of the response times. 



2. The security system of claim 1, wherein

the verifier is configured to form the assessment based on at least one of:

an average of the response times,

a comparison of the response times to one or more threshold times, and

a statistical test based on the response times.



3. The security system of claim 1, wherein 

the verifier is configured to provide the one or more requests, based on a 
random selection of one or more items to request. 

4. The security system of claim 1, wherein

the response times are correlated to a physical proximity between a first source 
of the one or more requests and a second source of the one or more responses. 

5. The security system of claim 1, wherein

the assessment of the response times forms an assessment of whether the one 
or more responses were communicated via a network connection. 



6. The security system of claim 1, further comprising:

a renderer that is configured to receive a plurality of data items corresponding
to a data set, and to produce therefrom a rendering corresponding to a select data item, 

the verifier being operably coupled to the renderer, and configured to preclude 
the rendering corresponding to the select data item in dependence upon whether other data 
items of the plurality of data items are available to the renderer, and 

the timer being operably coupled to the verifier and the renderer, and 
configured to measure response times associated with responses to requests for the other data 
items from the renderer. 

7. A method for determining an authorization to process information based on a 
physical proximity between a receiver and a source of a plurality of data items, the method 
comprising: 

determining a response time of the source of the plurality of data items, and 
determining the authorization based on the response time. 

8. The method of claim 7, wherein 
determining the response time includes, 

for each data item of a subset of the plurality of data items: 

requesting the data item from the source at a first time, 
receiving the data item at a receiver at a second time, and 
accumulating a response time measure corresponding to a difference 
between the second time and the first time; and 

determining the response time based on the response time measure. 

9. The method of claim 8, wherein 

the response time measure corresponds to at least one of: 

an average of the differences between each second and first times, 
a count based on a comparison of each difference to one or more
threshold times, and

a statistical parameter based on the differences. 



10. A computer program product arranged for causing a processor to execute the
method of claim 7.